TL;DR: Most of the headline state consumer privacy laws - CCPA/CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and similar - explicitly exempt government agencies from their consumer-rights provisions. But government agencies are typically still subject to state-specific public records laws, state privacy statutes (for example, California’s IPA, New York’s PPPL, Washington’s RCW 42.56), state breach notification laws, sector-specific laws (education, health, motor vehicle), and the federal Privacy Act if they receive federal funds. Practically, agencies should still publish a clear privacy policy, be transparent about analytics and cookies, and treat resident data with the same care commercial sites are now required to.
The last seven years have seen an explosion of state consumer privacy laws in the United States. As of mid-2026, roughly 20 states have enacted comprehensive consumer privacy laws, and most major commercial websites now operate under a patchwork of CCPA, CPRA, CDPA, CPA, CTDPA, UCPA, and similar regimes. The question for government agency websites is: do any of these apply to us?
The short answer is: usually not directly, but the obligations on government agencies are still substantial - just in different statutes. This post walks through which laws apply to which agencies, where the exemptions are, and what agencies should be doing about privacy in practice.
The Big Consumer Privacy Laws - And Why Government Is Mostly Exempt
California: CCPA and CPRA
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the gold standard of US state privacy law. It applies to “businesses” that meet certain thresholds and process personal information of California residents.
Government agencies are not “businesses” under the CCPA’s definition. The statute applies to entities operated “for the profit or financial benefit of [their] shareholders or other owners.” State and local government agencies are excluded.
That does not mean California government agencies are unregulated. They are subject to the California Information Practices Act of 1977 (Civil Code 1798 et seq.), the original California state-government privacy statute. The IPA covers state agencies’ collection, use, and disclosure of personal information, and includes rights of notice, access, correction, and accounting of disclosures. Local government agencies in California are subject to the California Public Records Act and various sector-specific statutes.
Virginia CDPA
The Virginia Consumer Data Protection Act applies to “persons that conduct business in the Commonwealth” or that produce products targeted to Virginia residents. Government agencies are explicitly exempted - the CDPA does not apply to “any body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth.”
Virginia government agencies remain subject to the Virginia Government Data Collection and Dissemination Practices Act, the Virginia Freedom of Information Act, and the Personal Information Privacy Act for specific data categories.
Colorado CPA
The Colorado Privacy Act has similar applicability language to Virginia and similarly excludes state and local government from the consumer-rights framework. Colorado has separate state-government privacy provisions in its statutes.
Connecticut, Utah, Iowa, Tennessee, Texas, and Others
The pattern repeats. The Connecticut Data Privacy Act, Utah Consumer Privacy Act, Iowa Consumer Data Protection Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, Delaware Personal Data Privacy Act, New Hampshire Privacy Act, New Jersey Data Privacy Act, Indiana CDPA, Montana CDPA, Florida Digital Bill of Rights, and most others all exempt state and local government agencies from the consumer-rights framework.
Washington
Washington has not enacted a comprehensive consumer privacy law (the “Washington Privacy Act” failed to pass repeatedly), but did enact the My Health My Data Act in 2023, which has narrow but stringent requirements for “consumer health data.” That law has some carveouts for government, but they are narrower and less clear-cut than the government exemptions in the comprehensive laws.
So Why Do So Many Government Sites Have CCPA Notices?
If you look at state and local government websites in California, you will often find a “Do Not Sell My Personal Information” link, CCPA opt-out forms, and CCPA-style privacy notices. There are two reasons:
- Caution. Counsel reasonably concluded that even if government is exempt from CCPA, providing CCPA-style notices and choices is low-cost and defends against any future regulatory or legislative expansion.
- Vendor obligations. Many government sites use commercial vendors (analytics, advertising, video, marketing automation) that themselves are subject to CCPA when they handle California residents’ data. The vendor’s CCPA obligations can flow through contractually to the government client. Hence: the cookie banner.
What Does Apply to Government Websites
State Privacy Statutes for State Agencies
Most states have a statute analogous to California’s IPA - originally enacted in the 1970s or 1980s and updated since - that governs state government data practices. Examples:
- California: Information Practices Act of 1977.
- New York: Personal Privacy Protection Law.
- Washington: RCW 42.56 (Public Records Act) plus various sectoral statutes.
- Illinois: Personal Information Protection Act.
- Massachusetts: Fair Information Practices Act.
- Virginia: Government Data Collection and Dissemination Practices Act.
These statutes typically require agencies to publish a privacy notice, limit data collection to what is necessary, allow individuals to access and correct their records, restrict disclosure without consent or legal authority, and report data breaches.
Public Records Laws
Every state has a public records law analogous to the federal Freedom of Information Act. Public records laws operate in tension with privacy: most records held by government are public by default unless an exemption applies. The exemptions vary by state but typically cover personally identifying information, medical records, juvenile records, certain personnel information, and ongoing investigations.
For privacy purposes, agencies need to understand:
- What information they collect is presumptively a public record.
- What categories are exempt from disclosure.
- How to redact records to remove exempt information before release.
State Breach Notification Laws
All 50 states, the District of Columbia, and several territories have data breach notification laws. These typically require notification when “personal information” - usually defined to include name plus Social Security number, driver’s license number, financial account information, and sometimes biometric or health data - is acquired without authorization.
State breach notification laws generally apply to government agencies. The specific notification timelines and requirements vary substantially: some states require notification within 30 days, others use a reasonableness standard. Some require notification to the state attorney general; some do not.
Sector-Specific Laws
Specific kinds of government data are governed by specific federal and state laws:
- Education records: FERPA at the federal level, plus state student privacy laws (California’s SOPIPA, Connecticut’s student data privacy law, etc.).
- Health information: HIPAA at the federal level for covered entities, plus state laws like Washington’s MHMDA and various state confidentiality statutes for mental health, HIV, and substance abuse records.
- Motor vehicle records: The federal Driver’s Privacy Protection Act restricts disclosure of motor vehicle records held by state DMVs.
- Library records: Almost every state has a statute protecting library patron records.
- Tax records: Both federal and state law sharply restrict disclosure of tax records by tax authorities.
For government sites that handle these kinds of data, sectoral laws often impose stricter requirements than any general privacy law would.
Data Broker Registration
A handful of states (California, Vermont, Texas, Oregon) require data brokers to register annually with the state. These laws generally do not apply to government agencies in their normal operations but can apply to government entities that buy or sell personal information in commercial-like transactions.
Federal Privacy Act
The federal Privacy Act of 1974 governs federal agencies’ handling of personally identifiable information in “systems of records.” It does not apply to state and local agencies directly, but state agencies that receive federal funding or that operate federal programs may be subject to Privacy Act requirements via federal regulations or grant conditions.
Practical Implications for Government Websites
Publish a Real Privacy Policy
Even if no state consumer privacy law strictly requires it, every government website should publish a clear, accurate privacy policy. The privacy policy should describe:
- What information the site collects automatically (logs, IP addresses, browser info).
- What information the site collects through forms (and what statutory authority requires it).
- What analytics, cookies, and third-party services are used.
- How the information is used and with whom it is shared.
- How long it is retained.
- How residents can access, correct, or request deletion of their information under applicable state law.
- How residents can file privacy complaints.
- Contact information.
See our government website privacy policy guide for a template and best practices.
Cookie and Analytics Transparency
State consumer privacy laws may not technically require government cookie banners, but transparency about analytics is still a strong best practice and may be required by state-government-specific statutes. Many agencies have moved off Google Analytics in favor of self-hosted or privacy-preserving alternatives (Matomo, Plausible, Fathom) to reduce the privacy and compliance footprint.
If you do use tracking analytics, see our cookie banner requirements guide for how to do it well.
Minimize Data Collection
The strongest privacy posture is collecting less data. Audit every form on the site:
- Is each field actually required for the underlying service?
- Is the agency’s legal authority to collect it clear?
- Are sensitive fields (SSN, financial info, health info) actually necessary?
- Are optional fields clearly marked?
Vendor Management
Most government sites use multiple third-party vendors that process resident data. For each vendor:
- Confirm a current contract is in place.
- Confirm the contract includes data protection language appropriate to the data involved.
- Confirm the vendor is subject to (and where applicable, compliant with) any state consumer privacy laws that flow through to them.
- Maintain a current inventory of vendors and data flows.
Breach Preparedness
State breach notification laws are unforgiving about delays. Every agency should have:
- A documented incident response plan.
- Contact information for the state attorney general and any required notification recipients.
- Pre-drafted breach notification templates.
- A relationship with outside counsel for high-severity incidents.
Equity Considerations
Privacy on government sites is also an equity issue. Residents using public computers, shared devices, or older browsers cannot necessarily opt out of analytics or block trackers. The agency’s privacy practices effectively become the default for everyone interacting with government services. That is one more reason to minimize data collection and vendor footprint by default.
State-by-State Snapshot
A non-exhaustive look at how the major comprehensive privacy laws treat government:
| State | Comprehensive Law | Applies to Gov? | Separate Gov Statute |
|---|---|---|---|
| California | CCPA/CPRA | No | Yes (IPA 1977) |
| Virginia | CDPA | No | Yes (GDCDPA) |
| Colorado | CPA | No | Yes (Colo. Rev. Stat. 24-72) |
| Connecticut | CTDPA | No | Yes |
| Utah | UCPA | No | Yes |
| Iowa | ICDPA | No | Yes |
| Tennessee | TIPA | No | Limited |
| Texas | TDPSA | No | Yes |
| Oregon | OCPA | No | Yes |
| Montana | MCDPA | No | Yes |
| Florida | FDBR | No | Yes |
| Delaware | DPDPA | No | Yes |
| New Jersey | NJDPA | No | Yes |
| New Hampshire | NHPA | No | Yes |
| Indiana | CDPA | No | Yes |
(The picture is constantly evolving; check current law before relying on this.)
Privacy as Part of Compliance, Not Apart From It
Privacy on a government website cannot be treated in isolation. It connects to:
- Accessibility: privacy notices must themselves be accessible.
- Security: the security headers and CISA guidance that protect resident data are part of privacy practice.
- Procurement: vendor VPATs often include privacy and data protection sections.
- Cookie banners: accessible, non-shifting cookie patterns are part of a coherent privacy UX.
The overall compliance checklist for a government website should treat privacy as a peer of accessibility, security, and content quality, not an afterthought.
Monitor What You Publish
Privacy on a government site is easy to lose track of. A marketing team adds a tracking pixel for a campaign. A vendor swaps in a new analytics provider. A CMS update adds default font-loading from a third-party CDN. Any of these can quietly change your privacy posture without anyone updating the privacy policy.
Govzu continuously monitors government websites for third-party scripts, cookies, fingerprinting, and other privacy signals, and alerts your team when new tracking appears or privacy policies fall out of sync with what the site is actually doing - so the privacy commitments you make to residents stay accurate.
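One way to run this kind of check yourself, added here as an illustration (it is not Govzu’s tooling or code from this post): a stdlib-only Python script that inventories the third-party hosts a page tells the browser to contact (scripts, images and tracking pixels, iframes, stylesheets and font CDNs) and diffs them against the hosts the privacy policy discloses. The site URL, host names, disclosed-host list and sample HTML are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tag/attribute pairs that make the browser fetch from another origin.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# Only these <link rel> values trigger a fetch; rel="canonical" does not.
FETCHING_LINK_RELS = {"stylesheet", "preload", "modulepreload", "preconnect", "dns-prefetch", "icon"}

class _ThirdPartyCollector(HTMLParser):
    """Records every non-first-party host named in a loading attribute."""
    def __init__(self, site_url):
        super().__init__()
        self.site_url = site_url
        self.site_host = urlsplit(site_url).hostname
        self.found = {}  # host -> set of "tag[attr]" that reference it

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_LINK_RELS:
            return
        raw = a.get(LOADING_ATTRS.get(tag, ""))
        if not raw:
            return
        # urljoin resolves relative and protocol-relative ("//host/...") URLs;
        # data: and javascript: URLs yield no hostname and are skipped.
        host = urlsplit(urljoin(self.site_url, raw)).hostname
        if host and host != self.site_host:
            self.found.setdefault(host, set()).add(f"{tag}[{LOADING_ATTRS[tag]}]")

def third_party_hosts(html, site_url):
    """Map each third-party host to the page locations that load from it."""
    p = _ThirdPartyCollector(site_url)
    p.feed(html)
    return p.found

def undisclosed_hosts(html, site_url, disclosed):
    """Third-party hosts the page loads from that the policy does not list."""
    return sorted(h for h in third_party_hosts(html, site_url) if h not in disclosed)

# Constructed sample: a page that quietly picked up a font CDN and a tracking pixel.
SITE_URL = "https://agency.example.gov/"
DISCLOSED = {"analytics.example-vendor.com", "video.example-host.com"}
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://www.example.gov/services">
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.example-cdn.net/css?family=Inter">
<script src="https://analytics.example-vendor.com/tag.js"></script>
</head><body><img src="//pixel.example-adtech.com/collect.gif?id=1" alt="">
<iframe src="https://video.example-host.com/embed/123"></iframe></body></html>"""
```

Running `undisclosed_hosts(SAMPLE_HTML, SITE_URL, DISCLOSED)` on the sample reports the font CDN and the pixel host, which is exactly the drift between the published policy and what the page actually loads; fetching the live HTML and running the check on a schedule turns it into a monitor.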
